The Legislative Audit Committee
of the Montana State Legislature:

This report is our EDP audit (98DP-10) of the Public Employees' Retirement Division's 
internal controls relating to its computer-based retirement system applications. This report 
addresses the control weaknesses we identified in the system. The department's written 
response to our audit recommendations is included in the back of the report. 
Report Summary



Introduction 



This is an electronic data processing audit of controls relating to the 
computer-based applications which process and store contribution and 
disbursement information for members of the state retirement systems. 
These systems are managed and maintained by the Public Employees' 
Retirement Division (PERD). 



Application Controls 



The major functional areas of PERD's computer-based system can be
broken down into the following three categories: 1) Contributions; 2)
Maintenance of Member Accounts; and 3) Disbursements. We
reviewed controls over the input, processing, and output relating to these
systems. Overall, we concluded the PERD computer-based
applications provide accurate processing of plan contributions and
retirement benefits. However, we found areas where access and input
controls over the application could be improved.



Programmer Access to Production Programs Should be Restricted



We reviewed electronic access rights given for the PERD programs and 
data within the production system. We found that two ISD 
programmers and two independent programmers contracted by ISD have 
unrestricted access to the production programs and data, which includes 
access to the individual PERD members' accounts. 



No one person should have incompatible duties that would permit the 
perpetration and concealment of material errors or irregularities. The 
present programmer access increases the risk of unauthorized changes to 
member information such as member contributions, retiree status, 
addresses, etc., as well as the risk of unauthorized changes to the system 
programs without detection. 

Because of their high degree of technical knowledge, programmers 
should not have unrestricted access to production programs or files. 
Their programming activities should be restricted to test programs and 
files; or at a minimum, all changes made by the programmers should be 
logged, reviewed, and approved by PERD management. 



Refund Payouts Should be Reviewed



When PERD members terminate employment with a public agency, 
their status on the retirement system becomes "inactive." Once inactive, 
members may request a refund of their contributions and the interest 
accumulated on those contributions. During our review, we determined 
that one employee is responsible for the entire refund process, which 
increases the risk that inappropriate refunds could be processed without 
detection. 



In order to mitigate potential risk, prior to payout of the refunds another 
employee should compare the computer-generated report of pending 
refunds to member files to ensure there is proper authorization from the 
member. 



Search for Inactive Members



When members terminate public employment, they are changed to 
"inactive" status on the contributions database. In our review, we found 
over 10,000 inactive members on the system with contributions and 
accumulated interest amounting to nearly $1.8 million. 



Although active members receive annual statements of contributions 
and interest, inactive members do not receive statements unless 
requested. Through the years, the members may have forgotten they 
have contributions on account or may die without informing their 
beneficiaries of the contributions. This results in many aging member 
accounts that may never be claimed. In order to fulfill their fiduciary 
responsibility to the members, the division should establish procedures 
for inactive member notification on aging accounts. 
Introduction and System Background



This is an electronic data processing audit of controls relating to the 
computer-based applications which process and store contribution and 
disbursement information for members of the state retirement systems. 
These systems are managed and maintained by the Public Employees' 
Retirement Division (PERD). 



The Montana Public Employees' Retirement Division (PERD) manages 
the activities of seven retirement systems and a compensation act as 
listed below: 

- Public Employees' Retirement System (PERS)
- Municipal Police Officers' Retirement System (MPORS)
- Game Wardens' and Peace Officers' Retirement System (GWPORS)
- Sheriffs' Retirement System (SRS)
- Judges' Retirement System (JRS)
- Highway Patrol Officers' Retirement System (HPORS)
- Firefighters' Unified Retirement System (FURS)
- Volunteer Firefighters' Compensation Act (VFCA)

The division administers defined benefit retirement plans for public 
employees in the State of Montana. The plans have net assets in excess 
of $2.4 billion. A total of 14,777 retired members and beneficiaries 
received retirement, disability, or survivor benefits of over $103 million, 
and 32,596 active members and their employers contributed over $124 
million in fiscal year 1996-97. These contributions and disbursements 
are recorded, processed, and tracked with the aid of the division's 
computer applications. 



Organization of Report 



This report is organized into two chapters. Chapter I provides an
introduction, background information, and audit objectives. Chapter II
discusses the review of controls and audit issues pertaining to the PERD
data processing function.
Chapter I - Introduction and Background



Audit Objectives 



The objectives of this audit were: 

1. To determine if controls are in place over the PERS computerized
application, to ensure contributions to the plan by members and
their employers are complete, accurate, and timely; and that the
funds are accounted for properly for each member.

2. To determine if controls are in place over the PERS computerized 
application, to ensure benefits are authorized and approved, 
calculated correctly, input to the system correctly and in a timely 
manner, and distributed only to proper individuals. 



Audit Scope and Methodology



The audit was conducted in accordance with government auditing 
standards. We compared the division's EDP controls against criteria 
established by the American Institute of Certified Public Accountants, 
United States General Accounting Office, and the information 
technology industry. 



We reviewed the division's EDP controls in relation to PERD's 
computerized applications. We reviewed input controls such as input 
authorization, edits, access controls, and error correction procedures. 
We also reviewed output controls by evaluating the accuracy and 
validity of data on system generated reports. 



Compliance 



We reviewed the division's compliance with state law, related to 
contribution percentages, eligibility requirements, and methods for 
determining retirement benefits. We determined the division to be in 
compliance with laws applicable to collection of contributions and 
disbursement of benefits as tested. 
Chapter II - Application Controls

The major functional areas of PERD's computer-based system can be 
broken down into the following three categories: 1) Contributions; 2) 
Maintenance of Member Accounts; and 3) Disbursements. 



Application controls consist of a combination of manual and automated 
procedures. Input controls ensure data input is authorized, all 
authorized data is input, and all data input is included in processing. 
These procedures, along with proper assignment and control of access 
privileges to the system, help ensure the overall integrity of data input, 
processed, and maintained on the system. 



PERD Applications Provide Accurate Processing Results



The PERD computer-based applications provide accurate processing 
of plan contributions and retirement benefits. However, we found 
areas where access and input controls over the application could be 
improved, as discussed in the following sections. 



Programmer Access to Production Programs Should be Restricted



To help facilitate system support duties, PERD contracts the services of 
the Department of Administration's Information Services Division (ISD) 
for programming and system administration support. During our 
review, we found that the ISD programmers, including two independent 
programmers contracted by ISD, have unrestricted access to the 
production programs and data, which includes access to the individual 
PERD members' accounts. 



No one person should have incompatible duties that would permit the 
perpetration and concealment of material errors or irregularities. The 
present programmer access increases the risk of unauthorized changes to 
member information, such as member contributions, retiree status, 
addresses, etc., as well as the risk of unauthorized changes to the system 
programs without detection. 

For example, the ISD programmers are state employees, with personal 
accounts on the PERD system. With unlimited access, they could make 
changes to their retirement accounts and possibly manipulate reports so 
the changes could not be detected. We reviewed their personal accounts 
and found no impropriety relating to their account balances, etc. 
However, additional access controls should be put in place to ensure
inappropriate changes could not be made without detection. 

Because of their high degree of technical knowledge, programmers 
should not have unrestricted access to production programs or files. 
Their programming activities should be restricted to test programs and 
files. Once the programming changes have been tested and approved on 
the test system, PERD management should be responsible for 
transferring the changes to production. 

Division personnel stated that because of the small size of the 
organization, the programmers need complete, unrestricted access in 
order to provide computer support to the PERD users. To mitigate the 
risk and ensure all changes made by the programmers are appropriate, 
all changes should be logged, reviewed, and approved by PERD 
management. 

Recommendation #1 

We recommend the division either: 

A. Remove programmer access to production programs and 
data; or, 

B. Log and review all changes to production programs and 
files made by the programmers. 
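The "log, review, and approve" alternative in Recommendation #1 only works if someone actually reads the log. The following is an added illustration, not PERD's or ISD's code, of the daily review a manager could run over a production update journal: every programmer update is listed for review, and updates to a programmer's own member account or to a production program without an approved change request are ranked highest. The journal format, user IDs, member numbers and change-request numbers are all constructed.

```python
# Added illustration (not PERD's or ISD's code): reviewing a production update
# journal for programmer activity. Journal format, user IDs, member numbers and
# change-request numbers are all constructed for this example.

# Programmer accounts holding production access, mapped to the member account
# each holds as a state employee (constructed).
PROGRAMMER_OWN_MEMBER = {"isd_prog1": "M-1001", "isd_prog2": "M-1002"}
# Change requests tested and approved by PERD management before this run (constructed).
APPROVED_CHANGES = {"CR-17"}

# Constructed sample journal: user|object|member_id|change_id (blank fields allowed).
JOURNAL = """\
clerk_a|MEMBER.CONTRIB|M-2240|
isd_prog1|PROG.REFUND_CALC||CR-17
isd_prog2|PROG.BENEFIT_CALC||
isd_prog1|MEMBER.CONTRIB|M-1001|
isd_prog2|MEMBER.ADDRESS|M-3310|CR-17
""".splitlines()


def parse_journal(lines):
    """Turn journal lines into dicts; empty fields become None."""
    entries = []
    for line in lines:
        if not line.strip():
            continue
        user, obj, member, change = (f.strip() or None for f in line.split("|"))
        entries.append({"user": user, "object": obj, "member_id": member, "change_id": change})
    return entries


def review(entries):
    """Flag every programmer update for management review, highest risk first."""
    findings = []
    for e in entries:
        if e["user"] not in PROGRAMMER_OWN_MEMBER:
            continue  # ordinary PERD user: covered by the normal input controls
        if e["member_id"] == PROGRAMMER_OWN_MEMBER[e["user"]]:
            severity, reason = "high", "programmer updated own member account"
        elif e["object"].startswith("PROG.") and e["change_id"] not in APPROVED_CHANGES:
            severity, reason = "high", "production program changed without approved change request"
        elif e["change_id"] in APPROVED_CHANGES:
            severity, reason = "review", "approved change; confirm only the requested fields moved"
        else:
            severity, reason = "high", "programmer updated member data outside an approved change"
        findings.append({"entry": e, "severity": severity, "reason": reason})
    findings.sort(key=lambda f: f["severity"] != "high")  # stable sort: 'high' first
    return findings
```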



Refund Payouts Should be Reviewed

When PERD members terminate employment with a public agency,
their status on the retirement system becomes "inactive." Once inactive,
members may request a refund of their contributions and the interest
accumulated on those contributions. During our review, we determined
that one employee is responsible for the entire refund process.

The PERD refund clerk processes the refund requests, and initiates 
payments to be sent to the members. Prior to printing the warrants, the 
system creates a report of all refunds processed. The refund clerk cross- 
checks the report against the member's file to ensure all necessary forms 
are present and calculations are correct. Since the refund clerk is the 
only person involved in the process, unauthorized refunds could be
processed without detection. The authorization of the refund and the 
ability to initiate the payment of the refund are incompatible duties when 
they are not monitored by a second party. 

Division personnel indicated they were not aware of the potential risk, 
and that the members would eventually identify the loss to their account 
and notify PERD. However, as discussed below, there are over 10,000 
inactive members with nearly $1.8 million in contributions and interest, 
many of whom have apparently forgotten that they have contributions 
on the system (some of the members, according to their dates of birth, 
are over 97 years old). Unless specifically requested, PERD does not 
send annual statements to inactive members. Therefore, a refund paid 
against their account may not be detected for years, if at all. 

In order to mitigate potential risk prior to payout of the refunds, another 
employee should review the computer-generated report of pending 
refunds to ensure there is proper authorization from the member. 

Recommendation #2 

We recommend the division implement controls to ensure all
refunds are properly authorized prior to payout.
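As an added illustration of the second-person review recommended above (example code, not PERD's refund application): a reviewer other than the refund clerk works through the computer-generated pending-refund report before warrants print, holding any refund whose member is not inactive, whose file lacks a signed refund request, whose amount does not match the contributions and interest on account, or whose member file cannot be found. The report rows, member files, names and amounts are constructed.

```python
# Added illustration (not PERD's refund application): the second-person review of
# the computer-generated pending-refund report. Report rows, member files, names
# and amounts are constructed for this example.

# Constructed report the system produces before warrants are printed.
PENDING_REFUNDS = [
    {"refund_id": "R-1", "member_id": "M-2240", "amount": 4210.55, "processed_by": "refund_clerk"},
    {"refund_id": "R-2", "member_id": "M-3310", "amount": 980.00, "processed_by": "refund_clerk"},
    {"refund_id": "R-3", "member_id": "M-4420", "amount": 12500.00, "processed_by": "refund_clerk"},
    {"refund_id": "R-4", "member_id": "M-5530", "amount": 300.00, "processed_by": "refund_clerk"},
]
# Constructed member files: status, contributions plus interest on account, and
# whether a signed refund request from the member is on file. M-5530 has no file.
MEMBER_FILES = {
    "M-2240": {"status": "inactive", "balance": 4210.55, "signed_request": True},
    "M-3310": {"status": "active", "balance": 980.00, "signed_request": True},
    "M-4420": {"status": "inactive", "balance": 12500.00, "signed_request": False},
}


def review_refund(refund, files, reviewer):
    """Return the exceptions found for one refund; an empty list means it may be paid."""
    problems = []
    if reviewer == refund["processed_by"]:
        problems.append("reviewer is the employee who processed the refund (incompatible duties)")
    member = files.get(refund["member_id"])
    if member is None:
        return problems + ["no member file for this refund"]
    if member["status"] != "inactive":
        problems.append("member is still active; only terminated members may be refunded")
    if not member["signed_request"]:
        problems.append("no signed refund request from the member on file")
    if abs(refund["amount"] - member["balance"]) > 0.005:
        problems.append("amount differs from contributions plus interest on account")
    return problems


def review_report(report, files, reviewer):
    """Split the report into refunds cleared for payout and refunds held, with reasons."""
    cleared, held = [], {}
    for refund in report:
        problems = review_refund(refund, files, reviewer)
        if problems:
            held[refund["refund_id"]] = problems
        else:
            cleared.append(refund["refund_id"])
    return cleared, held
```

Running the review as the refund clerk holds every refund, since the same person would be authorizing and initiating the payment.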



Search for Inactive Members



When members terminate public employment, they are changed to 
"inactive" status on the contributions database. In our review, we found 
over 10,000 inactive members on the system, with contributions and 
accumulated interest amounting to nearly $1.8 million. Of those 
members, more than 300 are between age 65 and 97. Many of those 
accounts may never be claimed. Although active members receive 
annual statements of contributions and interest, inactive members do not 
receive statements unless requested. Division personnel stated it would 
be too difficult to maintain current addresses on all inactive members. 
Through the years, the members may have forgotten they have 
contributions on account or may die without informing their 
beneficiaries of the contributions. This results in many aging member 
accounts that may never be claimed. Twelve years ago, the division did 
a social security number match against the Department of Revenue's 
database attempting to locate current addresses or death status for the
inactive members. Notification cards were sent to members identifying 
unclaimed contributions on the system, encouraging them to request a 
statement from PERD. However, no searches have been done since 
1985. 

There is no state or administrative policy outlining the division's 
responsibility for notification to inactive members. However, the 
division should consider their fiduciary responsibility to the members, 
and establish procedures for member notification. 

Recommendation #3 

We recommend the division establish procedures for a periodic
search for inactive members, to resolve aging accounts.
Dear Mr. Seacat:

During the recent audit of the Public Employees' Retirement Division's Computer-Based
Applications there were three recommendations. The following is the division's response:



Recommendation #1: Remove programmer access to production programs and data; or, log and 
review all changes to production programs and files made by the programmers. 

Response: We concur and have begun to log and review all changes to production programs and 
data. Contracted programmers now have test access only. We now have only two supervisory ISD 
programmers who have access to the production databases. We must be able to rely on them to 
responsibly provide the services we require. They must be able to perform production recovery and 
support as we do not have the technical expertise to move programs into production. There is a daily 
'sys' journal that records all updates to the databases so all history is captured and identifiable to the 
programmer. To be more proactive we have requested that the user IDs of these two programmers'
access to the production database be "logged" on security activity reports for our daily review.



Recommendation #2: Implement controls to ensure all refunds are properly authorized prior to 
payout. 



Response: We concur that controls need to be added to the refund process. We have added the job
duty to our administrative support position. The incumbent will verify all refund applications to the
refund run.
Recommendation #3: Establish procedures for a periodic search for inactive members, to resolve
aging accounts. 

Response: We concur. Our active database does not have the capacity to maintain addresses and we
do not have the manpower to track and update data which is constantly changing. We are
establishing procedures to check social security numbers of inactive members against national death 
records on an annual basis and against the bureau of vital statistics on a monthly basis. We will also 
be attempting to locate inactive members through various methods, including using the Internet 
when we get our web page in September 1998. This will also assist us in our status as a qualified 
plan under the internal revenue code. 

Thank you for the consideration extended to our staff during the audit. We endeavor to provide 
quality service to our members. Audits assist us in achieving our goal. 



Sincerely, 




Michael O'Connor 
Administrator 